Japan s activities for security and safety of IoT systems

Transcription

1 Japan s activities for security and safety of IoT systems March 20, 2017 Takashi Wada Vice President, Software Reliability Enhancement Center (SEC) Information-Technology Promotion Agency (IPA), Japan Frei verwendbar

2 What is IPA? IPA: Information-technology Promotion Agency, Japan Established in 1970 by the Act on Facilitation of Information Processing, and reorganized in 2004 as an Independent Administrative Agency Working with Ministry of Economy, Trade and Industry (METI) Three Missions: Aiming to realize a Dependable IT society 2

3 IoT Security Guidelines in Japan Japanese government and IoT Accerelation Consortium formulated the IoT security guidelines in July IoT security guidelines consist of 5 major principles corresponding to 5 phases (policy setting, analyze, design, connect, operate & maintain) in IoT lifecycle Before this, IPA formulated developers guidelines to promote safe and secure IoT products and services. Most content of IPA guidelines were incorporated into the government s guidelines. 3

4 Operation Maintenance Design Analysis Policy IPA s Development guideline contents 17 guidelines which CEO, management, developers and operators should consider CEO Management Operators Developers Major item G/L# Guidelines Making corporate 1 Formulating the basic policies for Security/Safety efforts for the 2 Reviewing systems and human resources for Security/Safety Security/Safety of the Smart-society 3 Preparing for internal frauds and mistakes 4 Identifying the objects to be protected Understanding the 5 Assuming the risks caused by connections risks of the Smartsociety 6 Assuming the risks spread through connections 7 Understanding physical security risks Considering the designs to protect the objects to be protected 8 Designing to enable both individual and total protection 9 Designing so as not to cause trouble in other connected entities 10 Ensuring consistency between the designs of safety and security 11 Designing to ensure Security/Safety even when connected to unspecified entities 12 Verifying/validating the designs of safety and security Considering the designs to ensure protection even after market release 13 Implementing the functions to identify and record own status 14 Implementing the functions to maintain Security/Safety even after the passage of time Operators Protecting with relevant parties 15 Identifying IoT risks and providing information after market release 16 Informing relevant business operators of the procedures to be followed after market release 17 Making the risks caused by connections known to general users 4

5 Security and Safety both matter Both origins come from same Ancient Latin Secrus (safety) Security Protection of information property from hazard (outside attack) Safety Protection of life and tangible assets from hazard (inside failure) Safety regulation is largely in place (automobile, railway, control system ) but security regulation is not (for IoT!) Users hazard attacks security safety 5 5

6 Action for Global Safe & Secure IoT System International Standardization of Security/Safety requirement for IoT Framework Possible Work Item Coordinate priority and concept for possible international standard Level Japan Germany Requirement, Vocabulary, Recommended Action IoT Security Guidelines Industrie 4.0 Security Guidelines Architecture, Specification Technical Reference of the Guidelines RAMI 4.0? Work Together for Safe and Secure IoT Systems 6